hermes-agent

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-09 08:21:50 +00:00

History

Teknium 55fb422f6f fix(photon): isolate ALL secret-touching prints behind auth.py helpers CodeQL was still flagging three taint-flow alerts in cli.py — its flow tracker keeps spreading the 'sensitive' label through every variable that even touched a credential-returning function, including 'has_token = bool(load_photon_token())' and the redacted-response dict returned by persist_webhook_signing_secret. Refactor: 1. cli.py _cmd_status now calls a new auth.credential_summary() that returns a {key: pre-formatted display string} dict. All probes + bool checks happen inside the helper. cli.py never sees a token or secret variable, only literals like '✓ stored' / '✗ missing'. 2. persist_webhook_signing_secret(webhook_data, *, on_summary=print) now owns the formatting + writing + status messages. It returns only a bool. The redacted-response JSON dump + 'saved to <path>' confirmation are emitted via the on_summary callback, so cli.py passes as the sink and never receives the path/dict back. cli.py is now mechanical: register_webhook → persist (with print) → return 0/1. Zero credential-tainted variables in cli.py at all. 3. Tests updated for the new signatures and a credential_summary guard added (the helper must never leak raw token/secret bytes into its return strings). Validation: tests/plugins/platforms/photon/ → 25/25 pass scripts/check-windows-footguns.py --all → 0 footguns py_compile clean	2026-06-08 13:38:30 -07:00
..
photon	fix(photon): isolate ALL secret-touching prints behind auth.py helpers	2026-06-08 13:38:30 -07:00

Teknium 55fb422f6f fix(photon): isolate ALL secret-touching prints behind auth.py helpers

CodeQL was still flagging three taint-flow alerts in cli.py — its
flow tracker keeps spreading the 'sensitive' label through every
variable that even touched a credential-returning function, including
'has_token = bool(load_photon_token())' and the redacted-response
dict returned by persist_webhook_signing_secret.

Refactor:

1. cli.py _cmd_status now calls a new auth.credential_summary() that
   returns a {key: pre-formatted display string} dict. All probes +
   bool checks happen inside the helper. cli.py never sees a token
   or secret variable, only literals like '✓ stored' / '✗ missing'.

2. persist_webhook_signing_secret(webhook_data, *, on_summary=print)
   now owns the formatting + writing + status messages. It returns
   only a bool. The redacted-response JSON dump + 'saved to <path>'
   confirmation are emitted via the on_summary callback, so cli.py
   passes  as the sink and never receives the path/dict back.

   cli.py is now mechanical: register_webhook → persist (with print)
   → return 0/1. Zero credential-tainted variables in cli.py at all.

3. Tests updated for the new signatures and a credential_summary
   guard added (the helper must never leak raw token/secret bytes
   into its return strings).

Validation:
  tests/plugins/platforms/photon/ → 25/25 pass
  scripts/check-windows-footguns.py --all → 0 footguns
  py_compile clean

2026-06-08 13:38:30 -07:00

photon

fix(photon): isolate ALL secret-touching prints behind auth.py helpers

2026-06-08 13:38:30 -07:00